[ksk-rollover] ICANN board meeting result and the Current status of KSK-Rollover

Fri Sep 21 16:32:45 UTC 2018

> On Sep 21, 2018, at 12:21 PM, Marc Blanchet <marc.blanchet at viagenie.ca> wrote:
> 
> On 21 Sep 2018, at 12:16, Eric Osterweil wrote:
> 

<snip>

> 
>> 
>>> - there are mechanisms to help/automate rollover, such as RFC5011, which shall fit with most use cases.
>> 
>> Happy to have a discussion about this (here or elsewhere), but I worry that the 5011 mechanism might need more evaluation against threat models, and subsequent enhancements.
> 
> sure. but to me « good enough » for a lot of use cases.

I guess I just don’t think that sounds like a very safe/secure way to manage operational security concerns, especially when there is this much at stake.  Consider DANE’s already_ large usage footprint.  Those systems’ security will suffer from a compromise here too.  This isn’t all gloom and doom.  Rigorous discussions and publications about on-path/off-path/topology/etc. considerations do exist (even in the context of DNSSEC).  I just really think that before we get too far down the road of rolling, then rolling again, then rolling again, we would be well served by considering the needs for resilient/secure key learning for our global Root. 

> 
>> As Ray brought up in a later comment on this, 5011 doesn't handle re-bootstrapping.
>> 
>>> - for the use cases/reasons people not use RFC5011, then it is like any manual configuration management: you take the responsability to put whatever process in your org to handle that case, since you are aware that you are taking the manual route.
>> 
>> I definitely don’t think that’s sufficient.  For real security concerns, I don’t think we can leave things at laissez faire.
> 
> laissez faire is not what I wrote. Some people prefer (for a lot of reasons, including security assessments and risks) to do manual. I’m just saying this is the reality and in that context, they have to take the responsability to do it « right ».

Fair point, those were my words (not trying to impute them to you), and if I missed your point: I’m doubly sorry.  I was just saying that there are a lot of ways this can bite us, and if we don’t make it clear how important Root KSK mgmt is, and what the height requirements are, we might pay for that later.

Eric
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20180921/3b745679/attachment.html>